ict.ken.be

Delivering solid user friendly software solutions since the dawn of time.

SAN certificate request checklist

Categories: IIS

1. Validate your identity

  • Validations Wizard - Email Address Validation - Confirmation mail - Valid for 30days
  • Validations Wizard - Domain Name Validation - Confirmation mail
  • Validations Wizard - Personal Identity Validation
  • Upload scan of both sides of identity card.
  • Upload scan of first page of international passport.
  • Confirmation call
  • Upload additional documents requested
  • Wait for email confirmation
  • Validations Wizard - Organization Validation
  • Upload scan of trademark
  • Upload scan of company registration
  • Upload scan of authorization letter
  • Wait for email confirmation

2. Create certificate signing request

  • MMC - Certificates (Local Computer) - Personal - Right-click - All Tasks - Advanced Operations - Create custom request
  • Proceed without enrollment policy - CNG Key - PKCS#10
  • Certificate Information - Click Details - Properties
  • General - Friendly name : start with astrix eg. *SAN for my domains (description is not needed, but handy)
  • Subject - Name - Add Email, Common Name (eg. *.ken.be), Organisation, Location, State, Country
  • Subject - Alternative Name - Add DNS for each domain and wildcard for sub-domains (eg. ken.be and *.ken.be)
  • Extensions - Key Usage - Add Digital signature, Key encipherment, Key agreement (a8)
  • Extensions - Extended Key Usage - Add Server Authentication, Client Authentication
  • Private Key - Key Options - Key Size >= 4096
  • Private Key - Make private key exportable
  • Private Key - Select Hash Algorithm - sha256 or higher
  • Save as base64 .csr file
  • MMC - Certificates (Local Computer) - Certificate Enrollment Request - Export the request with private key

3. Web Server SSL/TLS certificate

  • Certificates Wizard - Skip - Paste your csr - Continue
  • Add each domain and then the subdomains
  • Wait for confirmation mail
  • Toolbox - Retrieve Certificate
  • Save as .cer file
  • MMC - Certificates (Local Computer) - Certificate Enrollment Request - Import the cer file.
  • It will merge with your request and you can then export it to a .pfx that contains both public and private key.

4. Install Intermediate Certification Authorities

  • MMC - Certificates (Local Computer) - Intermediate Certification Authorities
  • Make sure all the intermediate certificates are at least sha256 or you will get 'The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.'
  • Also make sure not old sha1 stay behind in both the local and the current user store (right-click find certificate)
  • I had to reboot the server to get rid of the old intermediates.

5. Install your certificate on your server

  • IIS Root - Server Certificates - Import
  • You can now use it in your bindings (remember only on for each IP)

6. Remove cyphers that have been broken

  • Prevent Beast, Poodle, ...
  • You can do this all manually or use a simple tool like IISCrypto
  • Do not disable cyphers that you might need to remote desktop !
  • Test with SSLLabs

More
http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
https://support.servertastic.com/deprecation-of-sha1-and-moving-to-sha2/
https://www.nartac.com/Products/IISCrypto/
https://www.ssllabs.com/ssltest/analyze.html